Windows has included the Volume Shadow Copy Service in its releases since Windows XP. The Shadow Copy Service periodically creates differential backups that serve as restore points for the user. Windows 7 Professional and Ultimate editions include tools to work with and manage the Volume Shadow Copy Service, including the ability to [[mount shadow volumes on disk images]].

== Also see ==

* [[Mount shadow volumes on disk images]]

* [http://forensic4cast.com/2010/04/19/into-the-shadows/ Into The Shadows] and [http://www.forensic4cast.com/2010/04/presentation-into-the-shadows/ Presentation], by [[Lee Whitfield]], April 2010

* [http://computer-forensics.sans.org/blog/2011/09/16/shadow-timelines-and-other-shadowvolumecopy-digital-forensics-techniques-with-the-sleuthkit-on-windows/ Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit on Windows], by [[Rob Lee]], September 2011

* [http://justaskweg.com/?p=710 “Weg, I’m afraid that I don’t have VMware. How do I Examine Shadow Volumes?”], by [[Jimmy Weg]], August 2012

== Tools ==

* [[EnCase]] with VSS Examiner Enscript (available from the downloads section of the GSI Support Portal)

* [[libvshadow]]

* [[ProDiscover]]

* [http://www.shadowexplorer.com/ ShadowExplorer]

* [http://dfstream.blogspot.ch/p/vsc-toolset.html VSC Toolset]

* [[X-Ways AG|X-Ways Forensics]]

[[Category:Volume Systems]]

Mobile malware is software created to infect or gain access to mobile devices such as [[cell phones]], [[tablets]], and [[PDAs]].

== History ==

Mobile malware was initially considered a hoax until it became obvious that malicious software existed and functioned on mobile devices. The earliest recorded mobile malware, Cabir, was released in 2004 and was designed to infect the [[Symbian]] OS via a Bluetooth connection. It was essentially harmless, but nonetheless proved to the public that worms could exist on mobile devices.

== Recent Trends ==

Since mobile devices usually contain private and valuable information, mobile malware has recently begun moving toward having a specific purpose (usually exploiting that information), as opposed to viruses created solely for bragging rights.

== Attack Types ==

=== Bluetooth ===

Attacks via [[Bluetooth]] can infect any phone with Bluetooth capability, including feature phones. These proximity-based attacks use the local Bluetooth network, usually in a crowded area, to send unsolicited requests to nearby phones. Since Bluetooth can be used to transmit files, malicious executables can be sent to everybody who accepts the request and installs the software. Some of these attacks, such as Cabir, are worms which send out the request from an infected phone without the user's knowledge, thus spreading quickly from phone to phone. Protection from these attacks is simple: users should not leave Bluetooth on, and if it is left on, they should not accept requests from unknown connections.

=== Application Marketplace ===

Malicious software can also be installed via application marketplaces. For example, according to webroot.com, applications disguised as Angry Birds level unlockers were available in the Android Market. Once installed, the creator had access to sensitive information such as browsing history and bookmarks. The application also contacted a remote server that sent the phone instructions for downloading additional malware.

To protect against this kind of attack, users can judge the legitimacy of an application with a few simple guidelines. Applications that request many permissions for no apparent reason should be avoided. If the user is unsure, the credibility of the publisher can easily be researched.
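The permission guideline above can be turned into a mechanical screen. The following added example (not code from the wiki or from any vendor) parses an app's AndroidManifest.xml and lists sensitive permissions that the app's stated category does not justify. The manifest, the set of permissions treated as sensitive, and the "expected permissions per category" table are all constructed assumptions for illustration.

```python
"""Screen an Android app's requested permissions against what its stated
purpose plausibly needs.  The manifest, the SENSITIVE set and the EXPECTED
table are constructed assumptions, not data from the wiki page."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that expose user data or cost money (constructed subset of the
# platform's "dangerous" permissions; assumption, not a complete list).
SENSITIVE = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.READ_HISTORY_BOOKMARKS",
}

# What an app of a given category can reasonably justify (assumption).
EXPECTED = {
    "game": {"android.permission.INTERNET", "android.permission.VIBRATE"},
    "messaging": {"android.permission.INTERNET", "android.permission.SEND_SMS",
                  "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                  "android.permission.READ_CONTACTS"},
}

# Constructed manifest for a "level unlocker" game that asks for far more
# than a game needs (modelled on the page's description, not a real app).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.levelunlocker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    # The attribute is namespaced, so ElementTree keys it as {ns}name.
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def unexplained_permissions(manifest_xml, category):
    """Sensitive permissions the app requests that its category does not
    justify.  Returns a sorted list so the result is stable."""
    asked = requested_permissions(manifest_xml)
    expected = EXPECTED.get(category, set())
    return sorted((asked & SENSITIVE) - expected)


def verdict(manifest_xml, category):
    """'avoid' when any unexplained sensitive permission is requested."""
    return "avoid" if unexplained_permissions(manifest_xml, category) else "plausible"


if __name__ == "__main__":
    for perm in unexplained_permissions(SAMPLE_MANIFEST, "game"):
        print("unexplained:", perm)
    print("verdict:", verdict(SAMPLE_MANIFEST, "game"))
```

The category table is deliberately small; in practice it is the reviewer's judgement of "what does this kind of app need" that matters, and the code only makes the comparison repeatable.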

=== WiFi ===

Information can be stolen from devices connected to public [[WiFi]] hotspots. Users should not do banking, shopping, or other tasks that expose personal information while connected to unsecured networks. This issue is not unique to mobile devices, but because of their nature, mobile devices are more likely to be used in public places on such networks.

=== SMS ===

[[SMS]] attacks are generally similar to each other. Malicious software is installed on the phone by some means and then continually sends text messages, unnoticed by the user, from the user's phone to premium-rate numbers, creating charges on the user's account. According to Kaspersky Labs, the SMS-Trojan was first discovered for the Android operating system in early 2011. The news report says, "The Trojan-SMS category is currently the most widespread class of malware for mobile phones, but Trojan-SMS.AndroidOS.FakePlayer.a is the first to specifically target the Android platform." To protect against these attacks, users should be cautious about which applications are installed on their devices and who the creators of those applications are.

SMS attacks can also simply be spam messages with links to malicious sites. The limitation of this type of attack is that it must target specific phones so that the scripts it executes are compatible with them.
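The premium-rate behaviour described above leaves a recognisable trace: one package sending many messages to short codes in a short time. The following added example (not from the wiki page or from Kaspersky) runs that detection over a constructed outbound-SMS log. The log format, the sample lines, the package names and the rule that any 3-6 digit destination is a short code are all assumptions made for the example.

```python
"""Flag apps that repeatedly send SMS to short codes, the behaviour the page
attributes to Trojan-SMS malware.  The log format, package names and sample
lines are constructed for this example, not taken from a real device."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: one SMS event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pkg=(?P<pkg>\S+) dst=(?P<dst>\S+) dir=(?P<dir>in|out)$")

# Premium-rate services are commonly reached through short codes; treat any
# 3-6 digit destination as one (assumption for this example).
SHORT_CODE_RE = re.compile(r"^\d{3,6}$")

# Constructed sample: a "media player" app hammering one short code, plus
# the user's own messaging app sending one legitimate short-code message.
SAMPLE_LOG = """\
2011-03-02T10:15:01 pkg=com.example.mediaplayer dst=7132 dir=out
2011-03-02T10:15:04 pkg=com.example.mediaplayer dst=7132 dir=out
2011-03-02T10:15:09 pkg=com.example.mediaplayer dst=7132 dir=out
2011-03-02T10:16:40 pkg=com.android.mms dst=+15551234567 dir=out
2011-03-02T10:17:02 pkg=com.example.mediaplayer dst=7132 dir=out
2011-03-02T10:20:11 pkg=com.android.mms dst=20202 dir=out
2011-03-02T10:21:11 pkg=com.android.mms dst=20202 dir=in
"""


def parse(log_text):
    """Yield (timestamp, package, destination) for outbound messages only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("dir") == "out":
            yield datetime.fromisoformat(m.group("ts")), m.group("pkg"), m.group("dst")


def premium_sms_offenders(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {package: peak_count} for packages that sent at least `threshold`
    messages to short codes inside some sliding window of length `window`."""
    by_pkg = defaultdict(list)
    for ts, pkg, dst in parse(log_text):
        if SHORT_CODE_RE.match(dst):
            by_pkg[pkg].append(ts)

    offenders = {}
    for pkg, times in by_pkg.items():
        times.sort()
        start, best = 0, 0
        # Two-pointer sweep: count the densest run of sends within the window.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            offenders[pkg] = best
    return offenders


if __name__ == "__main__":
    for pkg, count in premium_sms_offenders(SAMPLE_LOG).items():
        print(f"{pkg}: {count} short-code messages within 5 minutes")
```

The threshold and window keep a user's own occasional short-code message (the second package above) below the alarm level while the continual sending the page describes trips it.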

=== QR Codes ===

Because [[QR Codes]] are, by their nature, unreadable to the human eye, they provide a means of taking curious smartphone users to malicious web sites. There are three ways QR codes can be maliciously presented to a user. The first is placing a QR code by itself with no explanation or context, so that some people get curious and scan it. The second is placing a stamp or sticker over an existing code so that the malicious code is disguised as a harmless one. The third is presenting the code digitally, through email.

QR code attacks work by taking the person who scans the code to a website that performs malicious activities. For example, according to darkreading.com, a QR code distributed to target iOS devices might direct the web browser to a site that jailbreaks the phone and then installs malware on it once the built-in security controls have been altered.

To protect against these attacks, smartphone users should only scan QR codes with software that allows them to confirm the action the code triggers before it is carried out.
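What "confirming the action" looks like on the scanner side is shown by the following added example (not code from the wiki page or from any QR reader). It takes the already-decoded payload string, works out what the phone would do with it (open a URL, dial, send an SMS, join a network, or just display text) and collects reasons a user should look twice before accepting. The sample payloads and the list of shortener hosts are constructed assumptions.

```python
"""Inspect a decoded QR payload and describe the action it would trigger so
the user can confirm it before anything happens.  Sample payloads and the
SHORTENER_HOSTS list are constructed for this example."""
from urllib.parse import urlsplit

# Hosts that hide the final destination (constructed, not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def describe_action(payload):
    """Return (action, target, warnings) for a decoded QR string.

    action is one of: 'open-url', 'call', 'send-sms', 'join-wifi', 'text'.
    warnings lists reasons the user should look twice before confirming."""
    warnings = []
    lower = payload.lower()

    if lower.startswith(("http://", "https://")):
        parts = urlsplit(payload)
        host = (parts.hostname or "").lower()
        if parts.scheme == "http":
            warnings.append("unencrypted http link")
        if host in SHORTENER_HOSTS:
            warnings.append("URL shortener hides the real destination")
        if parts.username or parts.password:
            warnings.append("credentials embedded in URL (possible spoofing)")
        if host.replace(".", "").isdigit():
            warnings.append("bare IP address instead of a domain name")
        return "open-url", payload, warnings

    if lower.startswith("tel:"):
        return "call", payload[4:], ["dials a number; check for premium-rate prefixes"]

    if lower.startswith(("sms:", "smsto:")):
        # Formats seen in the wild: sms:<number> or smsto:<number>:<body>.
        number, _, _body = payload.split(":", 1)[1].partition(":")
        warnings.append("sends a text message; premium short codes cost money")
        return "send-sms", number, warnings

    if lower.startswith("wifi:"):
        warnings.append("joins a network; untrusted hotspots can intercept traffic")
        return "join-wifi", payload[5:], warnings

    return "text", payload, warnings


def should_prompt(payload):
    """A confirming scanner prompts for every action that does something,
    and for plain text only when a warning was raised."""
    action, _, warnings = describe_action(payload)
    return action != "text" or bool(warnings)


if __name__ == "__main__":
    # Constructed payloads: a shortened plain-http link, a clean link, an SMS
    # code pointing at a short code, and harmless text.
    for sample in ("http://bit.ly/3xyz", "https://example.org/menu",
                   "SMSTO:7132:START", "Hello"):
        action, target, warnings = describe_action(sample)
        print(f"{sample!r}: {action} -> {target!r}; prompt={should_prompt(sample)}")
        for w in warnings:
            print("   warning:", w)
```

The point of the design is that the decoded string is shown, with its warnings, before the browser, dialer or messaging app is invoked; a scanner that hands the payload straight to the platform removes exactly the step the guidance above asks for.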
